How to Provide Protection In-Depth for Your Smart Grid

Jun 07, 2019

Smart grids are a critical national resource, and like any other, are subject to cyber attack. To date, smart grid cybersecurity strategies have focused on the perimeter. What happens when an attack is successful, and a cybercriminal gets past the perimeter? This is when defence in depth is needed.

A tempting target

A smart grid is a Distribution System Operator's (DSO's) largest investment and a national asset upon which mission-critical and life-saving services rely. Government, business and residents rely on the service it provides every second of the day. It provides the energy supplier with their revenue, and through it, the DSO has access to highly privileged and sensitive customer information.

To achieve the social and economic benefits of a smart grid, sophisticated equipment has been deployed further into the less regulated and less secured low-voltage grid. Whilst this meets the objectives of the smart grid, it creates more points of entry that a cyber-criminal can exploit.

High profile and prestige smart city initiatives depend on smart grid for efficiency and optimisation – a successful attack could bring a smart city to its knees. So, these targets are attractive for extortion or high profile disruption – both motivators for financial and hostile government sponsored attackers.

These are not the only attractive targets – terrorism-motivated attacks are aimed at many targets across the globe, and potentially every smart grid is a target for attacks with political or sectarian motives.

Is protecting the perimeter enough?

The Information and Communications Technology (ICT) industry has found, to its cost, that relying on perimeter defence against cybercriminals is insufficient. A perimeter is a combination of ICT, processes and people. Even where the ICT piece achieves high theoretical protection, it is the processes and the people that create “loopholes”, which cyber-criminals are highly skilled at exploiting.

This is equivalent to relying solely on the strength of your locks to your home and hoping that no one else has a key or can pick the lock!

Modern cybersecurity solutions combine defence in depth with the assumption that, eventually, protection will be breached. This means that only when detection and response are coupled with protection is it possible to offer a comprehensive defence.

If the smart grid was your home, you would be subscribing to a local community watch project (to monitor general threat), installing video cameras in front of your door (to monitor specific threat) and installing a burglar alarm within your home (to monitor for successful intrusion).

How strong can the perimeter be?

The smart grid is increasingly complex. Upgrading the perimeter to the latest standards may simply be too disruptive and time-consuming to do quickly and in response to new attack mechanisms. The reality is that the attacker always has the initiative and technology will lag – both in creating the solution and deploying it across national infrastructures.

The perimeter will always be porous.

If the smart grid was your home, you would be changing the locks every week!

Is visibility of security events enough?

Even if a DSO is aware of security events, it can be missing important indicators of attack, simply because they are lost in the background of low-level threat indicators and false positives. Common responses are to log everything or to log nothing. In either case, some DSOs may be unable to spot the key indicators which would allow them to adopt a modified security posture in response to a threat, or to react to block an attack or limit a penetration.

Making sense of all the information

A key concept implemented in many SIEM (Security Information and Event Management) systems is correlation of large volumes of isolated and (potentially) false positive events against a wide set of contextual information. Such context may include scheduled events, topological or geographical information, known threat information, historic information, known and anticipated methods of attack and actual attack elsewhere.

The challenge is that ICT SIEMs are focused on ICT infrastructure and do not have a built-in “understanding” of smart grids with which to make sense of the specific information or context.

What is required in a SIEM is the ability to:

Monitor the smart grid without interrupting or disrupting the key service it offers

Interpret events from the smart grid

Have the right context by which to assess these events

Identify and be familiar with the types of attack that are specific to a smart grid

Have awareness of attacks across a community.

With this new generation of SIEM, it is possible to build a defence in depth for the smart grid.
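As an added illustration of the correlation idea described above (example code written for this page, not from the original article or any vendor's product), the following Python sketch reduces constructed smart-grid events to alerts using two kinds of context the text names: topology (which feeder a device belongs to) and scheduled maintenance windows. All device names, feeders, timestamps and rule thresholds are assumed sample values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (timestamp, device, event type); not real data.
EVENTS = [
    ("2019-06-07T01:02:00", "meter-0101", "auth_fail"),
    ("2019-06-07T01:03:10", "meter-0102", "auth_fail"),
    ("2019-06-07T01:04:30", "meter-0107", "auth_fail"),
    ("2019-06-07T09:00:00", "meter-0201", "auth_fail"),    # lone failure: noise
    ("2019-06-07T02:15:00", "rtu-0301", "config_change"),  # inside maintenance
    ("2019-06-07T14:40:00", "rtu-0302", "config_change"),  # outside maintenance
]
# Topological context: the feeder each device hangs off (constructed).
TOPOLOGY = {"meter-0101": "feeder-A", "meter-0102": "feeder-A",
            "meter-0107": "feeder-A", "meter-0201": "feeder-B",
            "rtu-0301": "feeder-C", "rtu-0302": "feeder-C"}
# Scheduled-work context: planned maintenance windows per feeder (constructed).
MAINTENANCE = {"feeder-C": [("2019-06-07T02:00:00", "2019-06-07T03:00:00")]}

def in_maintenance(feeder, when):
    """True if a planned window for this feeder covers the timestamp."""
    return any(datetime.fromisoformat(a) <= when <= datetime.fromisoformat(b)
               for a, b in MAINTENANCE.get(feeder, []))

def correlate(events, window=timedelta(minutes=5), min_devices=3):
    """Turn isolated events into alerts using topology and schedule context.
    Rule 1: auth failures on >= min_devices distinct devices of one feeder
            within `window` -> a single feeder-level alert.
    Rule 2: config changes outside a maintenance window -> alert; inside
            one they are expected and suppressed.
    """
    alerts, alerted_feeders = [], set()
    auth_fails = defaultdict(list)  # feeder -> [(time, device)]
    for stamp, device, kind in sorted(events):
        when, feeder = datetime.fromisoformat(stamp), TOPOLOGY[device]
        if kind == "auth_fail":
            auth_fails[feeder].append((when, device))
            recent = {d for t, d in auth_fails[feeder] if when - t <= window}
            if len(recent) >= min_devices and feeder not in alerted_feeders:
                alerted_feeders.add(feeder)
                alerts.append((feeder, "credential attack across feeder"))
        elif kind == "config_change" and not in_maintenance(feeder, when):
            alerts.append((device, "unscheduled configuration change"))
    return alerts

if __name__ == "__main__":
    for target, reason in correlate(EVENTS):
        print(f"ALERT {target}: {reason}")
```

The single failure on feeder-B and the configuration change inside the feeder-C maintenance window produce nothing, which is the point: context turns six raw events into two alerts worth an analyst's time.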

Outcomes of defence in depth

With such a SIEM in place, the DSO can defend itself in depth, and not rely solely on the perimeter.

This is a little like being in the community crime watch, having a security camera outside your house and a burglar alarm inside. To continue the analogy, a homeowner may even accept older locks if they have the deterrent and defence in depth.

Defence in depth provides for:

Evaluation of the current threat-level and changes over short, medium and long-term

Detection of a specific threat and initiation of responses to harden the smart grid in readiness for attack

Detection of attack and initiation of responses to protect the infrastructure within the perimeter

Detection of a successful intrusion and initiation of responses to limit damage

Shared information across a community concerning threat level and actual attacks

Localisation of the threat with the opportunity to go on the offensive against the cyber-criminal!

The business outcome

DSOs with such a SIEM will be less vulnerable to denial-of-service attacks or ransom, theft of corporate or customer information, and theft of smart grid infrastructure, and may also enjoy lower corporate insurance premiums.

The social outcome

Consumers will be less vulnerable to disruption of supply and publication of personal information.